CyberPanel: Attackers can infiltrate malicious code

Two vulnerabilities have been discovered in the CyberPanel server management software. They allow attackers to inject arbitrary code.

[Image: Burning laptop in front of servers that monitor the laptop] (Image: created with AI in Bing Image Creator by heise online / dmk)


Two security vulnerabilities have been reported in the CyberPanel control panel software for managing (web) servers. They allow attacks with cross-site scripting or the infiltration of malicious code.

One of the vulnerabilities allows cross-site scripting via tokens or usernames in plogical/phpmyadminsignin.php (CVE-2024-56112). Users can be served code that executes in their browser context, for example through manipulated links. The developers fixed the vulnerability in the source code on November 11.

The second vulnerability affects CyberPanel prior to version 2.3.8 and allows malicious actors to inject and execute arbitrary commands using shell metacharacters in the phpSelection field of the websites/submitWebsiteCreation URI after logging into the software (CVE-2024-53376).
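To make the two flaw classes described above concrete from a defender's side, the following is an added example, not code from the article or from CyberPanel: a hypothetical Python request handler that (a) builds a site-creation command from request fields the unsafe way the command-injection class describes and, beside it, the hardened way (strict allowlists plus an argument vector with no shell), and (b) reflects a token and username into HTML with proper encoding so they cannot break out of their context. The script path, the field names, the allowlisted PHP versions and the sample values are constructed for the example.

```python
import html
import re
import subprocess
from urllib.parse import quote

# Constructed allowlist of PHP versions the panel is assumed to offer.
# Example values, not taken from CyberPanel.
ALLOWED_PHP_VERSIONS = frozenset({"7.4", "8.0", "8.1", "8.2", "8.3"})

# Characters with special meaning to a POSIX shell; none of them belongs in a
# value that ends up on a command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\\"'*?\[\]~!#]")

# Hostname syntax: lowercase labels of letters, digits and hyphens, joined by dots.
DOMAIN_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$"
)

# Hypothetical helper script; the path is a placeholder for the example.
CREATE_SITE_SCRIPT = "/usr/local/bin/create_site.sh"


def contains_shell_meta(value: str) -> bool:
    """Detection helper: True when a request value carries shell metacharacters."""
    return SHELL_META.search(value) is not None


def vulnerable_build_command(domain: str, php_selection: str) -> str:
    """The pattern the advisory class describes: request fields interpolated into
    one shell string that would later be run with shell=True. Kept only to
    contrast with the hardened form; hypothetical, not CyberPanel's code."""
    return f"{CREATE_SITE_SCRIPT} --domain {domain} --php {php_selection}"


def hardened_build_argv(domain: str, php_selection: str) -> list[str]:
    """Validate both fields against strict allowlists and return an argument
    vector. No shell parses it, so metacharacters are inert even if a value
    somehow slipped past validation."""
    if php_selection not in ALLOWED_PHP_VERSIONS:
        raise ValueError(f"unsupported PHP version: {php_selection!r}")
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"invalid domain: {domain!r}")
    return [CREATE_SITE_SCRIPT, "--domain", domain, "--php", php_selection]


def create_website(domain: str, php_selection: str) -> int:
    """Run the helper with an argv list and shell=False; returns its exit code."""
    argv = hardened_build_argv(domain, php_selection)
    return subprocess.run(argv, shell=False, check=False).returncode


def signin_link_html(token: str, username: str) -> str:
    """Reflect a token and username into HTML safely: the token is URL-encoded
    for the query string, then both values are HTML-escaped (quotes included)
    for the attribute and text contexts they land in."""
    safe_token = html.escape(quote(token, safe=""), quote=True)
    safe_user = html.escape(username, quote=True)
    return (
        f'<a href="/phpmyadminsignin.php?token={safe_token}">'
        f"Open phpMyAdmin as {safe_user}</a>"
    )


if __name__ == "__main__":
    # Constructed sample values showing the contrast.
    print(vulnerable_build_command("example.com", "8.1; id"))  # metacharacters pass through
    print(hardened_build_argv("example.com", "8.1"))
    print(signin_link_html("abc<script>", 'bob" onmouseover="x'))
```

The allowlist check is what closes the command-injection class: the field is compared against the versions the panel actually offers, rather than filtered for known-bad characters, and the argv form means the operating system never sees a shell string at all. `contains_shell_meta` is only useful for logging or alerting on suspicious submissions, not as the primary control.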


Version 2.3.8 of CyberPanel was released on November 1st. The cross-site scripting vulnerability is apparently no longer present in version 2.3.9, although the changelog does not list it explicitly; the same applies to the command injection vulnerability, which the previous version already closes.

A risk assessment of the vulnerabilities is not yet available in the CVE entries. However, the CERT-Bund of the German Federal Office for Information Security (BSI) calculates a CVSS value of 8.8, which corresponds to a high risk and only just misses the highest risk classification of "critical".

IT managers with CyberPanel installations should promptly initiate the upgrade in order to run the latest software version with security patches and so reduce the attack surface of their network.

At the end of November, attacks by the ransomware gang PSAUX on servers with CyberPanel became known. They attempted to exploit two vulnerabilities in the control panel software that were classified as critical risks. Around 22,000 instances were attacked in the process. Version 2.3.8 of CyberPanel had closed the gaps.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.